[APPSEC] use http endpoint on api security sampling algorithm when route is not available (#7062)

IlyasShabi · web-flow · commit b9ea9c5232e8 · 2026-03-12T11:49:30.000+01:00
Use http endpoint on api security sampling algorithm when route is not available
diff --git a/packages/dd-trace/src/appsec/api_security_sampler.js b/packages/dd-trace/src/appsec/api_security_sampler.js
@@ -70,15 +70,36 @@ function isSampled (key) {
   return sampledRequests.has(key)
 }
 
+function getRouteOrEndpoint (context, statusCode) {
+  // First try to get the route from the context paths
+  const route = context?.paths?.join('') || ''
+  if (route) {
+    return route
+  }
+
+  // If route is not available, fallback to http.endpoint
+  if (statusCode !== 404) {
+    const endpoint = context?.span?.context()?._tags?.['http.endpoint']
+    if (endpoint) {
+      return endpoint
+    }
+  }
+
+  return ''
+}
+
 function computeKey (req, res) {
-  const route = web.getContext(req)?.paths?.join('') || ''
   const method = req.method
   const status = res.statusCode
 
   if (!method || !status) {
     log.warn('[ASM] Unsupported groupkey for API security')
     return null
   }
+
+  const context = web.getContext(req)
+  const route = getRouteOrEndpoint(context, status)
+
   return method + route + status
 }
 
diff --git a/packages/dd-trace/src/appsec/index.js b/packages/dd-trace/src/appsec/index.js
@@ -233,6 +233,9 @@ function incomingHttpEndTranslator ({ req, res }) {
     persistent[addresses.HTTP_INCOMING_QUERY] = query
   }
 
+  // This hook runs before span finish, so ensure route/endpoint tags are available before API Security sampling runs.
+  web.setRouteOrEndpointTag(req)
+
   if (apiSecuritySampler.sampleRequest(req, res, true)) {
     persistent[addresses.WAF_CONTEXT_PROCESSOR] = { 'extract-schema': true }
   }
diff --git a/packages/dd-trace/src/appsec/reporter.js b/packages/dd-trace/src/appsec/reporter.js
@@ -300,9 +300,11 @@ function reportWafConfigUpdate (product, rcConfigId, diagnostics, wafVersion) {
   }
 }
 
-function reportMetrics (metrics, raspRule) {
-  const store = storage('legacy').getStore()
-  const rootSpan = store?.req && web.root(store.req)
+function reportMetrics (metrics, raspRule, req) {
+  if (!req) {
+    req = storage('legacy').getStore()?.req
+  }
+  const rootSpan = req && web.root(req)
 
   if (!rootSpan) return
 
@@ -311,9 +313,9 @@ function reportMetrics (metrics, raspRule) {
   }
 
   if (raspRule) {
-    updateRaspRequestsMetricTags(metrics, store.req, raspRule)
+    updateRaspRequestsMetricTags(metrics, req, raspRule)
   } else {
-    updateWafRequestsMetricTags(metrics, store.req)
+    updateWafRequestsMetricTags(metrics, req)
   }
 
   reportTruncationMetrics(rootSpan, metrics)
@@ -333,9 +335,11 @@ function reportTruncationMetrics (rootSpan, metrics) {
   }
 }
 
-function reportAttack ({ events: attackData, actions }) {
-  const store = storage('legacy').getStore()
-  const req = store?.req
+function reportAttack ({ events: attackData, actions }, req) {
+  if (!req) {
+    req = storage('legacy').getStore()?.req
+  }
+
   const rootSpan = web.root(req)
   if (!rootSpan) return
 
@@ -473,10 +477,13 @@ function isSchemaAttribute (attribute) {
   return attribute.startsWith('_dd.appsec.s.')
 }
 
-function reportAttributes (attributes) {
+function reportAttributes (attributes, req) {
   if (!attributes) return
 
-  const req = storage('legacy').getStore()?.req
+  if (!req) {
+    req = storage('legacy').getStore()?.req
+  }
+
   const rootSpan = web.root(req)
 
   if (!rootSpan) return
diff --git a/packages/dd-trace/src/appsec/waf/index.js b/packages/dd-trace/src/appsec/waf/index.js
@@ -122,7 +122,7 @@ function run (data, req, raspRule) {
   }
 
   const wafContext = waf.wafManager.getWAFContext(req)
-  const result = wafContext.run(data, raspRule)
+  const result = wafContext.run(data, raspRule, req)
 
   if (result?.keep) {
     if (limiter.isAllowed()) {
diff --git a/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js b/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js
@@ -22,7 +22,7 @@ class WAFContextWrapper {
     this.cachedUserIdResults = new Map()
   }
 
-  run ({ persistent, ephemeral }, raspRule) {
+  run ({ persistent, ephemeral }, raspRule, req) {
     if (this.ddwafContext.disposed) {
       log.warn('[ASM] Calling run on a disposed context')
       if (raspRule) {
@@ -141,10 +141,10 @@ class WAFContextWrapper {
       metrics.wafTimeout = result.timeout
 
       if (ruleTriggered) {
-        Reporter.reportAttack(result)
+        Reporter.reportAttack(result, req)
       }
 
-      Reporter.reportAttributes(result.attributes)
+      Reporter.reportAttributes(result.attributes, req)
 
       return result
     } catch (err) {
@@ -156,7 +156,7 @@ class WAFContextWrapper {
         wafRunFinished.publish({ payload })
       }
 
-      Reporter.reportMetrics(metrics, raspRule)
+      Reporter.reportMetrics(metrics, raspRule, req)
     }
   }
 
diff --git a/packages/dd-trace/src/plugins/util/web.js b/packages/dd-trace/src/plugins/util/web.js
@@ -410,6 +410,13 @@ const web = {
       },
     })
   },
+  setRouteOrEndpointTag (req) {
+    const context = contexts.get(req)
+
+    if (!context) return
+
+    applyRouteOrEndpointTag(context)
+  },
 }
 
 function addAllowHeaders (req, res, headers) {
@@ -481,18 +488,9 @@ function addRequestTags (context, spanType) {
 }
 
 function addResponseTags (context) {
-  const { req, res, paths, span, inferredProxySpan, config } = context
+  const { req, res, inferredProxySpan, span } = context
 
-  const route = paths.join('')
-  if (route) {
-    // Use http.route from trusted framework instrumentation
-    span.setTag(HTTP_ROUTE, route)
-  } else if (config.resourceRenamingEnabled) {
-    // Route is unavailable, compute http.endpoint instead
-    const url = span.context()._tags[HTTP_URL]
-    const endpoint = url ? calculateHttpEndpoint(url) : '/'
-    span.setTag(HTTP_ENDPOINT, endpoint)
-  }
+  applyRouteOrEndpointTag(context)
 
   span.addTags({
     [HTTP_STATUS_CODE]: res.statusCode,
@@ -504,6 +502,28 @@ function addResponseTags (context) {
   web.addStatusError(req, res.statusCode)
 }
 
+function applyRouteOrEndpointTag (context) {
+  const { paths, span, config } = context
+  if (!span) return
+  const tags = span.context()._tags
+  const route = paths.join('')
+
+  if (route) {
+    // Use http.route from trusted framework instrumentation.
+    span.setTag(HTTP_ROUTE, route)
+    return
+  }
+
+  if (!config.resourceRenamingEnabled || tags[HTTP_ENDPOINT]) {
+    return
+  }
+
+  // Route is unavailable, compute http.endpoint once.
+  const url = tags[HTTP_URL]
+  const endpoint = url ? calculateHttpEndpoint(url) : '/'
+  span.setTag(HTTP_ENDPOINT, endpoint)
+}
+
 function addResourceTag (context) {
   const { req, span } = context
   const tags = span.context()._tags
diff --git a/packages/dd-trace/test/appsec/api_security_sampler.spec.js b/packages/dd-trace/test/appsec/api_security_sampler.spec.js
@@ -242,4 +242,103 @@ describe('API Security Sampler', () => {
       assert.strictEqual(keepTraceStub.calledOnceWith(span, 'asm'), true)
     })
   })
+
+  describe('http.endpoint', () => {
+    beforeEach(() => {
+      apiSecuritySampler.configure({ appsec: { apiSecurity: { enabled: true, sampleDelay: 30 } } })
+    })
+
+    it('should use http.endpoint when http.route is not available', () => {
+      const spanWithEndpoint = {
+        context: sinon.stub().returns({
+          _sampling: { priority: AUTO_KEEP },
+          _tags: { 'http.endpoint': '/api/users' },
+        }),
+      }
+      webStub.root.returns(spanWithEndpoint)
+      webStub.getContext.returns({ paths: [], span: spanWithEndpoint })
+
+      const key = apiSecuritySampler.computeKey(req, res)
+      assert.equal(key, 'GET/api/users200')
+    })
+
+    it('should not use http.endpoint for 404 status codes', () => {
+      const res404 = { statusCode: 404 }
+      const spanWithEndpoint = {
+        context: sinon.stub().returns({
+          _sampling: { priority: AUTO_KEEP },
+          _tags: { 'http.endpoint': '/api/users' },
+        }),
+      }
+      webStub.root.returns(spanWithEndpoint)
+      webStub.getContext.returns({ paths: [], span: spanWithEndpoint })
+
+      const key = apiSecuritySampler.computeKey(req, res404)
+      assert.equal(key, 'GET404')
+    })
+
+    it('should prefer http.route over http.endpoint when both are available', () => {
+      const spanWithBoth = {
+        context: sinon.stub().returns({
+          _sampling: { priority: AUTO_KEEP },
+          _tags: { 'http.endpoint': '/api/users' },
+        }),
+      }
+      webStub.root.returns(spanWithBoth)
+      webStub.getContext.returns({ paths: ['/users/:id'], span: spanWithBoth })
+
+      const key = apiSecuritySampler.computeKey(req, res)
+      assert.equal(key, 'GET/users/:id200')
+    })
+
+    it('should handle missing http.endpoint gracefully', () => {
+      const spanWithoutEndpoint = {
+        context: sinon.stub().returns({
+          _sampling: { priority: AUTO_KEEP },
+          _tags: {},
+        }),
+      }
+      webStub.root.returns(spanWithoutEndpoint)
+      webStub.getContext.returns({ paths: [], span: spanWithoutEndpoint })
+
+      const key = apiSecuritySampler.computeKey(req, res)
+      assert.equal(key, 'GET200')
+    })
+
+    it('should handle missing span gracefully', () => {
+      webStub.getContext.returns({ paths: [], span: null })
+
+      const key = apiSecuritySampler.computeKey(req, res)
+      assert.equal(key, 'GET200')
+    })
+
+    it('should sample different endpoints separately', () => {
+      const span1 = {
+        context: sinon.stub().returns({
+          _sampling: { priority: AUTO_KEEP },
+          _tags: { 'http.endpoint': '/api/users' },
+        }),
+      }
+      const span2 = {
+        context: sinon.stub().returns({
+          _sampling: { priority: AUTO_KEEP },
+          _tags: { 'http.endpoint': '/api/products' },
+        }),
+      }
+
+      webStub.root.returns(span1)
+      webStub.getContext.returns({ paths: [], span: span1 })
+      assert.ok(apiSecuritySampler.sampleRequest(req, res, true))
+
+      webStub.root.returns(span2)
+      webStub.getContext.returns({ paths: [], span: span2 })
+      assert.ok(apiSecuritySampler.sampleRequest(req, res, true))
+
+      const key1 = apiSecuritySampler.computeKey(req, res)
+      webStub.getContext.returns({ paths: [], span: span1 })
+      const key2 = apiSecuritySampler.computeKey(req, res)
+
+      assert.notEqual(key1, key2)
+    })
+  })
 })
diff --git a/packages/dd-trace/test/appsec/api_security_sampling.integration.spec.js b/packages/dd-trace/test/appsec/api_security_sampling.integration.spec.js
diff --git a/packages/dd-trace/test/appsec/resources/api_security_sampling-app.js b/packages/dd-trace/test/appsec/resources/api_security_sampling-app.js
diff --git a/packages/dd-trace/test/appsec/waf/index.spec.js b/packages/dd-trace/test/appsec/waf/index.spec.js

Original file line number	Diff line number	Diff line change
`@@ -233,6 +233,9 @@ function incomingHttpEndTranslator ({ req, res }) {`
`233`	`233`	`persistent[addresses.HTTP_INCOMING_QUERY] = query`
`234`	`234`	`}`
`235`	`235`
	`236`	`+ // This hook runs before span finish, so ensure route/endpoint tags are available before API Security sampling runs.`
	`237`	`+ web.setRouteOrEndpointTag(req)`
	`238`	`+`
`236`	`239`	`if (apiSecuritySampler.sampleRequest(req, res, true)) {`
`237`	`240`	`persistent[addresses.WAF_CONTEXT_PROCESSOR] = { 'extract-schema': true }`
`238`	`241`	`}`
Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,7 @@ function run (data, req, raspRule) {`
`122`	`122`	`}`
`123`	`123`
`124`	`124`	`const wafContext = waf.wafManager.getWAFContext(req)`
`125`		`- const result = wafContext.run(data, raspRule)`
	`125`	`+ const result = wafContext.run(data, raspRule, req)`
`126`	`126`
`127`	`127`	`if (result?.keep) {`
`128`	`128`	`if (limiter.isAllowed()) {`
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ class WAFContextWrapper {`
`22`	`22`	`this.cachedUserIdResults = new Map()`
`23`	`23`	`}`
`24`	`24`
`25`		`- run ({ persistent, ephemeral }, raspRule) {`
	`25`	`+ run ({ persistent, ephemeral }, raspRule, req) {`
`26`	`26`	`if (this.ddwafContext.disposed) {`
`27`	`27`	`log.warn('[ASM] Calling run on a disposed context')`
`28`	`28`	`if (raspRule) {`
`@@ -141,10 +141,10 @@ class WAFContextWrapper {`
`141`	`141`	`metrics.wafTimeout = result.timeout`
`142`	`142`
`143`	`143`	`if (ruleTriggered) {`
`144`		`- Reporter.reportAttack(result)`
	`144`	`+ Reporter.reportAttack(result, req)`
`145`	`145`	`}`
`146`	`146`
`147`		`- Reporter.reportAttributes(result.attributes)`
	`147`	`+ Reporter.reportAttributes(result.attributes, req)`
`148`	`148`
`149`	`149`	`return result`
`150`	`150`	`} catch (err) {`
`@@ -156,7 +156,7 @@ class WAFContextWrapper {`
`156`	`156`	`wafRunFinished.publish({ payload })`
`157`	`157`	`}`
`158`	`158`
`159`		`- Reporter.reportMetrics(metrics, raspRule)`
	`159`	`+ Reporter.reportMetrics(metrics, raspRule, req)`
`160`	`160`	`}`
`161`	`161`	`}`
`162`	`162`